From 59d954910cdf1c55be56986e9414837106c3b5e1 Mon Sep 17 00:00:00 2001 From: Vivek Kumar Sahu Date: Thu, 29 May 2025 22:13:22 +0530 Subject: [PATCH 1/7] add mising relationship and pkg external info --- github/dependency_graph.go | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/github/dependency_graph.go b/github/dependency_graph.go index 86a1fe48b98..e1ef62b609c 100644 --- a/github/dependency_graph.go +++ b/github/dependency_graph.go 
@@ -28,12 +28,32 @@ type CreationInfo struct { type RepoDependencies struct { SPDXID *string `json:"SPDXID,omitempty"` // Package name - Name *string `json:"name,omitempty"` - VersionInfo *string `json:"versionInfo,omitempty"` - DownloadLocation *string `json:"downloadLocation,omitempty"` - FilesAnalyzed *bool `json:"filesAnalyzed,omitempty"` - LicenseConcluded *string `json:"licenseConcluded,omitempty"` - LicenseDeclared *string `json:"licenseDeclared,omitempty"` + Name *string `json:"name,omitempty"` + VersionInfo *string `json:"versionInfo,omitempty"` + DownloadLocation *string `json:"downloadLocation,omitempty"` + FilesAnalyzed *bool `json:"filesAnalyzed,omitempty"` + LicenseConcluded *string `json:"licenseConcluded,omitempty"` + LicenseDeclared *string `json:"licenseDeclared,omitempty"` + ExternalRefs []*ExternalRef `json:"externalRefs"` +} + +// ExternalRef represents an external reference (e.g., PURL/SWID/CPE) for a package in the SBOM. +type ExternalRef struct { + ReferenceCategory string `json:"referenceCategory"` + ReferenceType string `json:"referenceType"` + ReferenceLocator string `json:"referenceLocator"` +} + +// Relationship represents a relationship between two packages in the SBOM. +type Relationship struct { + // Element ID + SpdxElementId *string `json:"spdxElementId,omitempty"` + + // Related Element ID + RelatedSpdxElement *string `json:"relatedSpdxElement,omitempty"` + + // Relationship type, e.g., "DEPENDS_ON", "CONTAINS", etc. + RelationshipType *string `json:"relationshipType,omitempty"` } // SBOMInfo represents a software bill of materials (SBOM) using SPDX. @@ -53,6 +73,9 @@ type SBOMInfo struct { // List of packages dependencies Packages []*RepoDependencies `json:"packages,omitempty"` + + // List of relationships between packages + Relationships []*Relationship `json:"relationships,omitempty"` } func (s SBOM) String() string { From 21969446b865642477935c3eccc9530d9f22de6f Mon Sep 17 00:00:00 2001 
From: Vivek Kumar Sahu Date: Thu, 29 May 2025 22:41:44 +0530 Subject: [PATCH 2/7] fix liniting --- github/dependency_graph.go | 2 +- github/github-accessors.go | 24 ++++++++++++++++++++++++ github/github-accessors_test.go | 33 +++++++++++++++++++++++++++++++++ 3 files changed, 58 insertions(+), 1 deletion(-) diff --git a/github/dependency_graph.go b/github/dependency_graph.go index e1ef62b609c..42e79a489a7 100644 --- a/github/dependency_graph.go +++ b/github/dependency_graph.go @@ -47,7 +47,7 @@ type ExternalRef struct { // Relationship represents a relationship between two packages in the SBOM. type Relationship struct { // Element ID - SpdxElementId *string `json:"spdxElementId,omitempty"` + SpdxElementID *string `json:"spdxElementId,omitempty"` // Related Element ID RelatedSpdxElement *string `json:"relatedSpdxElement,omitempty"` diff --git a/github/github-accessors.go b/github/github-accessors.go index 307d6e339d3..309f8e3fa33 100644 --- a/github/github-accessors.go +++ b/github/github-accessors.go 
@@ -20934,6 +20934,30 @@ func (r *RegistryPackageEvent) GetSender() *User { return r.Sender } +// GetRelatedSpdxElement returns the RelatedSpdxElement field if it's non-nil, zero value otherwise. +func (r *Relationship) GetRelatedSpdxElement() string { + if r == nil || r.RelatedSpdxElement == nil { + return "" + } + return *r.RelatedSpdxElement +} + +// GetRelationshipType returns the RelationshipType field if it's non-nil, zero value otherwise. +func (r *Relationship) GetRelationshipType() string { + if r == nil || r.RelationshipType == nil { + return "" + } + return *r.RelationshipType +} + +// GetSpdxElementID returns the SpdxElementID field if it's non-nil, zero value otherwise. +func (r *Relationship) GetSpdxElementID() string { + if r == nil || r.SpdxElementID == nil { + return "" + } + return *r.SpdxElementID +} + // GetBrowserDownloadURL returns the BrowserDownloadURL field if it's non-nil, zero value otherwise. func (r *ReleaseAsset) GetBrowserDownloadURL() string { if r == nil || r.BrowserDownloadURL == nil { diff --git a/github/github-accessors_test.go b/github/github-accessors_test.go index f2a51a6028c..3bea6034ab6 100644 --- a/github/github-accessors_test.go +++ b/github/github-accessors_test.go 
@@ -26965,6 +26965,39 @@ func TestRegistryPackageEvent_GetSender(tt *testing.T) { r.GetSender() } +func TestRelationship_GetRelatedSpdxElement(tt *testing.T) { + tt.Parallel() + var zeroValue string + r := &Relationship{RelatedSpdxElement: &zeroValue} + r.GetRelatedSpdxElement() + r = &Relationship{} + r.GetRelatedSpdxElement() + r = nil + r.GetRelatedSpdxElement() +} + +func TestRelationship_GetRelationshipType(tt *testing.T) { + tt.Parallel() + var zeroValue string + r := &Relationship{RelationshipType: &zeroValue} + r.GetRelationshipType() + r = &Relationship{} + r.GetRelationshipType() + r = nil + r.GetRelationshipType() +} + +func TestRelationship_GetSpdxElementID(tt *testing.T) { + tt.Parallel() + var zeroValue string + r := &Relationship{SpdxElementID: &zeroValue} + r.GetSpdxElementID() + r = &Relationship{} + r.GetSpdxElementID() + r = nil + r.GetSpdxElementID() +} + func TestReleaseAsset_GetBrowserDownloadURL(tt *testing.T) { tt.Parallel() var zeroValue string From a55457ffae718408b5ccc91c28266ab2c164c391 Mon Sep 17 00:00:00 2001 From: Vivek Kumar Sahu Date: Sat, 31 May 2025 19:08:32 +0530 Subject: [PATCH 3/7] added more field specific comments --- github/dependency_graph.go | 46 +++++++++++++++++++++++++++----------- 1 file changed, 33 insertions(+), 13 deletions(-) diff --git a/github/dependency_graph.go b/github/dependency_graph.go index 42e79a489a7..8d618d353f9 100644 --- a/github/dependency_graph.go +++ b/github/dependency_graph.go 
@@ -34,26 +34,46 @@ type RepoDependencies struct { FilesAnalyzed *bool `json:"filesAnalyzed,omitempty"` LicenseConcluded *string `json:"licenseConcluded,omitempty"` LicenseDeclared *string `json:"licenseDeclared,omitempty"` - ExternalRefs []*ExternalRef `json:"externalRefs"` + ExternalRefs []*ExternalRef `json:"externalRefs,omitempty"` } -// ExternalRef represents an external reference (e.g., PURL/SWID/CPE) for a package in the SBOM. +// ExternalRef allows an Package to reference an external sources of additional information, +// like asset identifiers, or downloadable content that are relevant to the package, +// Example for identifiers (e.g., PURL/SWID/CPE) for a package in the SBOM. +// https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field type ExternalRef struct { + // ReferenceCategory specifies the external reference categories such + // SECURITY", "PACKAGE-MANAGER", "PERSISTENT-ID", or "OTHER" + // Example: "PACKAGE-MANAGER" ReferenceCategory string `json:"referenceCategory"` - ReferenceType string `json:"referenceType"` - ReferenceLocator string `json:"referenceLocator"` -} -// Relationship represents a relationship between two packages in the SBOM. -type Relationship struct { - // Element ID - SpdxElementID *string `json:"spdxElementId,omitempty"` + // ReferenceType specifies the type of external reference. + // For PACKAGE-MANAGER, it could be "purl"; other types include "cpe22Type", "swid", etc. + ReferenceType string `json:"referenceType"` - // Related Element ID - RelatedSpdxElement *string `json:"relatedSpdxElement,omitempty"` + // ReferenceLocator is the actual unique identifier or URI for the external reference. + // Example: "pkg:golang/github.com/spf13/cobra@1.8.1" + ReferenceLocator string `json:"referenceLocator"` +} - // Relationship type, e.g., "DEPENDS_ON", "CONTAINS", etc. 
- RelationshipType *string `json:"relationshipType,omitempty"` +// Relationship provides information about the relationship between two SPDX elements. +// Element could be packages or files in the SBOM. +// For example, to represent a relationship between two different Files, between a Package and a File, +// between two Packages, or between one SPDXDocument and another SPDXDocument. +// https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/ +type Relationship struct { + // SpdxElementId is the identifier of the SPDX element that has a relationship. + // Example: "SPDXRef-github-interlynk-io-sbomqs-main-f43c98" + SpdxElementID *string `json:"spdxElementId"` + + // RelatedSpdxElement is the identifier of the related SPDX element. + // Example: "SPDXRef-golang-github.comspf13-cobra-1.8.1-75c946" + RelatedSpdxElement *string `json:"relatedSpdxElement"` + + // RelationshipType describes the type of relationship between the two elements. + // Such as "DEPENDS_ON", "DESCRIBES", "CONTAINS", etc., as defined by SPDX 2.3. + // Example: "DEPENDS_ON", "CONTAINS", "DESCRIBES", etc. + RelationshipType *string `json:"relationshipType"` } // SBOMInfo represents a software bill of materials (SBOM) using SPDX. From d470d20ee265d175a6312f62f9a3f0eb08f5c66f Mon Sep 17 00:00:00 2001 From: Vivek Kumar Sahu Date: Sat, 31 May 2025 19:46:08 +0530 Subject: [PATCH 4/7] update field name --- github/dependency_graph.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/github/dependency_graph.go b/github/dependency_graph.go index 8d618d353f9..33fdfcb8b60 100644 --- a/github/dependency_graph.go +++ b/github/dependency_graph.go 
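Review bot: The ExternalRef doc comment added in this hunk has grammar problems that survive to the end of the series (patch 7 only swaps in the new type name): `allows an Package to reference an external sources of additional information, … relevant to the package, Example for identifiers`. A cleaner two-line form is `// ExternalRef allows a package to reference external sources of additional information,` followed by `// such as identifiers (e.g., PURL/SWID/CPE) or downloadable content relevant to the package.`. The ReferenceCategory comment is also missing the opening quote on SECURITY and the word "as"; `// ReferenceCategory specifies the external reference category, such as "SECURITY", "PACKAGE-MANAGER", "PERSISTENT-ID", or "OTHER".` reads correctly and keeps the example line below it.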
@@ -56,19 +56,19 @@ type ExternalRef struct { ReferenceLocator string `json:"referenceLocator"` } -// Relationship provides information about the relationship between two SPDX elements. +// SBOMRelationship provides information about the relationship between two SPDX elements. // Element could be packages or files in the SBOM. // For example, to represent a relationship between two different Files, between a Package and a File, // between two Packages, or between one SPDXDocument and another SPDXDocument. // https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/ -type Relationship struct { - // SpdxElementId is the identifier of the SPDX element that has a relationship. +type SBOMRelationship struct { + // SPDXElementID is the identifier of the SPDX element that has a relationship. // Example: "SPDXRef-github-interlynk-io-sbomqs-main-f43c98" - SpdxElementID *string `json:"spdxElementId"` + SPDXElementID *string `json:"spdxElementId"` // RelatedSpdxElement is the identifier of the related SPDX element. // Example: "SPDXRef-golang-github.comspf13-cobra-1.8.1-75c946" - RelatedSpdxElement *string `json:"relatedSpdxElement"` + RelatedSPDXElement *string `json:"relatedSpdxElement"` // RelationshipType describes the type of relationship between the two elements. // Such as "DEPENDS_ON", "DESCRIBES", "CONTAINS", etc., as defined by SPDX 2.3. @@ -95,7 +95,7 @@ type SBOMInfo struct { Packages []*RepoDependencies `json:"packages,omitempty"` // List of relationships between packages - Relationships []*Relationship `json:"relationships,omitempty"` + Relationships []*SBOMRelationship `json:"relationships,omitempty"` } func (s SBOM) String() string { From 318fe2ad30c5cb4230e80427c9481fa3b1525469 Mon Sep 17 00:00:00 2001 From: Vivek Kumar Sahu Date: Sat, 31 May 2025 20:30:53 +0530 Subject: [PATCH 5/7] update ExternalRef to PackageExternalRef --- github/dependency_graph.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
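Review bot: The rename to RelatedSPDXElement leaves its doc comment starting with the old name, `// RelatedSpdxElement is the identifier of the related SPDX element.`; the godoc convention that the comment opens with the field name is followed for SPDXElementID one field up, so this line should become `// RelatedSPDXElement is the identifier of the related SPDX element.`. The stale comment is still visible as context in patch 6's hunk of this file. In the second hunk, `// List of relationships between packages` on SBOMInfo.Relationships is narrower than the SBOMRelationship doc, which says the elements may be packages or files; `// List of relationships between SPDX elements (packages or files) in the SBOM` would keep the two in step.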
diff --git a/github/dependency_graph.go b/github/dependency_graph.go index 33fdfcb8b60..ba5779aff07 100644 --- a/github/dependency_graph.go +++ b/github/dependency_graph.go @@ -28,20 +28,20 @@ type CreationInfo struct { type RepoDependencies struct { SPDXID *string `json:"SPDXID,omitempty"` // Package name - Name *string `json:"name,omitempty"` - VersionInfo *string `json:"versionInfo,omitempty"` - DownloadLocation *string `json:"downloadLocation,omitempty"` - FilesAnalyzed *bool `json:"filesAnalyzed,omitempty"` - LicenseConcluded *string `json:"licenseConcluded,omitempty"` - LicenseDeclared *string `json:"licenseDeclared,omitempty"` - ExternalRefs []*ExternalRef `json:"externalRefs,omitempty"` + Name *string `json:"name,omitempty"` + VersionInfo *string `json:"versionInfo,omitempty"` + DownloadLocation *string `json:"downloadLocation,omitempty"` + FilesAnalyzed *bool `json:"filesAnalyzed,omitempty"` + LicenseConcluded *string `json:"licenseConcluded,omitempty"` + LicenseDeclared *string `json:"licenseDeclared,omitempty"` + ExternalRefs []*PackageExternalRef `json:"externalRefs,omitempty"` } // ExternalRef allows an Package to reference an external sources of additional information, // like asset identifiers, or downloadable content that are relevant to the package, // Example for identifiers (e.g., PURL/SWID/CPE) for a package in the SBOM. // https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field -type ExternalRef struct { +type PackageExternalRef struct { // ReferenceCategory specifies the external reference categories such // SECURITY", "PACKAGE-MANAGER", "PERSISTENT-ID", or "OTHER" // Example: "PACKAGE-MANAGER" From 4656c44e334f4818c01b3b83f48fd92ba8a9c69a Mon Sep 17 00:00:00 2001 
From: Vivek Kumar Sahu Date: Sat, 31 May 2025 20:40:22 +0530 Subject: [PATCH 6/7] generate scripts with new changes --- github/dependency_graph.go | 6 +++--- github/github-accessors.go | 24 ------------------------ github/github-accessors_test.go | 33 --------------------------------- 3 files changed, 3 insertions(+), 60 deletions(-) diff --git a/github/dependency_graph.go b/github/dependency_graph.go index ba5779aff07..55468254763 100644 --- a/github/dependency_graph.go +++ b/github/dependency_graph.go @@ -64,16 +64,16 @@ type PackageExternalRef struct { type SBOMRelationship struct { // SPDXElementID is the identifier of the SPDX element that has a relationship. // Example: "SPDXRef-github-interlynk-io-sbomqs-main-f43c98" - SPDXElementID *string `json:"spdxElementId"` + SPDXElementID string `json:"spdxElementId"` // RelatedSpdxElement is the identifier of the related SPDX element. // Example: "SPDXRef-golang-github.comspf13-cobra-1.8.1-75c946" - RelatedSPDXElement *string `json:"relatedSpdxElement"` + RelatedSPDXElement string `json:"relatedSpdxElement"` // RelationshipType describes the type of relationship between the two elements. // Such as "DEPENDS_ON", "DESCRIBES", "CONTAINS", etc., as defined by SPDX 2.3. // Example: "DEPENDS_ON", "CONTAINS", "DESCRIBES", etc. - RelationshipType *string `json:"relationshipType"` + RelationshipType string `json:"relationshipType"` } // SBOMInfo represents a software bill of materials (SBOM) using SPDX. diff --git a/github/github-accessors.go b/github/github-accessors.go index 309f8e3fa33..307d6e339d3 100644 --- a/github/github-accessors.go +++ b/github/github-accessors.go 
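Review bot: Changing the three SBOMRelationship fields from `*string` to `string` means a document that omits one of them decodes to the same value as one carrying an empty string, and it departs from the pointer-field convention used by RepoDependencies in the same file and by the generated Get* accessors, which this patch deletes as a consequence. If the reason is that SPDX 2.3 treats all three as required on every relationship, which the spec section linked in the type comment supports, that rationale belongs on the struct so the next maintainer does not revert it to pointers, e.g. `// Fields are plain strings rather than pointers: SPDX requires all three on every relationship, so absence is never meaningful.`. PackageExternalRef already uses plain strings, so the two SBOM helper types are at least consistent with each other after this change.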
@@ -20934,30 +20934,6 @@ func (r *RegistryPackageEvent) GetSender() *User { return r.Sender } -// GetRelatedSpdxElement returns the RelatedSpdxElement field if it's non-nil, zero value otherwise. -func (r *Relationship) GetRelatedSpdxElement() string { - if r == nil || r.RelatedSpdxElement == nil { - return "" - } - return *r.RelatedSpdxElement -} - -// GetRelationshipType returns the RelationshipType field if it's non-nil, zero value otherwise. -func (r *Relationship) GetRelationshipType() string { - if r == nil || r.RelationshipType == nil { - return "" - } - return *r.RelationshipType -} - -// GetSpdxElementID returns the SpdxElementID field if it's non-nil, zero value otherwise. -func (r *Relationship) GetSpdxElementID() string { - if r == nil || r.SpdxElementID == nil { - return "" - } - return *r.SpdxElementID -} - // GetBrowserDownloadURL returns the BrowserDownloadURL field if it's non-nil, zero value otherwise. func (r *ReleaseAsset) GetBrowserDownloadURL() string { if r == nil || r.BrowserDownloadURL == nil { diff --git a/github/github-accessors_test.go b/github/github-accessors_test.go index 3bea6034ab6..f2a51a6028c 100644 --- a/github/github-accessors_test.go +++ b/github/github-accessors_test.go 
@@ -26965,39 +26965,6 @@ func TestRegistryPackageEvent_GetSender(tt *testing.T) { r.GetSender() } -func TestRelationship_GetRelatedSpdxElement(tt *testing.T) { - tt.Parallel() - var zeroValue string - r := &Relationship{RelatedSpdxElement: &zeroValue} - r.GetRelatedSpdxElement() - r = &Relationship{} - r.GetRelatedSpdxElement() - r = nil - r.GetRelatedSpdxElement() -} - -func TestRelationship_GetRelationshipType(tt *testing.T) { - tt.Parallel() - var zeroValue string - r := &Relationship{RelationshipType: &zeroValue} - r.GetRelationshipType() - r = &Relationship{} - r.GetRelationshipType() - r = nil - r.GetRelationshipType() -} - -func TestRelationship_GetSpdxElementID(tt *testing.T) { - tt.Parallel() - var zeroValue string - r := &Relationship{SpdxElementID: &zeroValue} - r.GetSpdxElementID() - r = &Relationship{} - r.GetSpdxElementID() - r = nil - r.GetSpdxElementID() -} - func TestReleaseAsset_GetBrowserDownloadURL(tt *testing.T) { tt.Parallel() var zeroValue string From c11ffa503ddbce3ad218ba6e0089d1190d6235e5 Mon Sep 17 00:00:00 2001 From: Vivek Kumar Sahu Date: Sat, 31 May 2025 22:52:04 +0530 Subject: [PATCH 7/7] fix lint errors --- github/dependency_graph.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/github/dependency_graph.go b/github/dependency_graph.go index 55468254763..b202aafff55 100644 --- a/github/dependency_graph.go +++ b/github/dependency_graph.go @@ -37,7 +37,7 @@ type RepoDependencies struct { ExternalRefs []*PackageExternalRef `json:"externalRefs,omitempty"` } -// ExternalRef allows an Package to reference an external sources of additional information, +// PackageExternalRef allows an Package to reference an external sources of additional information, // like asset identifiers, or downloadable content that are relevant to the package, // Example for identifiers (e.g., PURL/SWID/CPE) for a package in the SBOM. // https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field